Email still the top vector for attackers
Infection chains might change, but the initiation method remains the same
While more exotic forms of attack may make headlines, it turns out good old email is still the most popular vector of attack for malicious actors, according to research from HP Wolf Security, accounting for 79% of threats.
The figure is a single percentage point down from 2022’s figures but highlights issues facing email administrators. Web browser downloads also dropped by 1% to 12%, while other vectors, such as removable media, grew to 9%.
Researchers noted that while attack chains tended to be formulaic, there had been a move to threat actors connecting different components to create something more unique – and harder to detect.
According to researchers “32% of the QakBot infection chains analyzed by HP in Q2 were unique”.
QakBot spam activity surged in Q2 2023, with the malware distributors switching between many different file types to infect PCs.
Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security, told ITPro that the team had seen continuous and rapid change across various attack vectors. He gave the example of the QakBot campaigns, which showed threat actors changing their initial vector as well as techniques within the infection chain.
The state of email security 2023
Get the latest insights from 1,700 CISOs and other IT professionals as they share the steps they are taking to protect their organizations from email-based threats
He also noted the impact of Microsoft’s disabling of macros by default, which has forced a diversification of attack vectors. “During 2022, we observed attackers attempting various newer techniques such as HTML smuggling, PDF lures, and also OneNote documents – which is particularly interesting as OneNote attacks do not rely on macros,” he said
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Schläpfer noted that most attacks were wide-ranging rather than targeted as attackers attempted to gain a foothold in a system. He shared statistics with ITPro collected over the course of Q2 2023 that show over half (51.5%) of malicious email attachments were archives and almost a quarter (24.4%) were documents. PDFs accounted for 4.2% and executables 1.5%.
Attackers are also becoming more creative, according to the research. One recent campaign used multiple programming languages in an effort to avoid detection. The payload was encrypted using Go before switching to C++ in order to interact with the victim’s operating system before running .NET malware.
According to Schläpfer, attackers are becoming more knowledgeable about their target systems, making it easier to exploit gaps or vulnerabilities. He said: “By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm”.
With email remaining the top attack vector, the advice for administrators remains the same. Dr Ian Pratt, global head of security for personal systems at HP, commented that while attack chains might vary, the initiation methods tended to remain the same: “It inevitably comes down to the user clicking on something”.
“Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”
Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.